On Mon, Feb 16, 2009 at 6:51 AM, Shimon Lebowitz <[email protected]> wrote:
> Having been asked just last week, by a member of the
> system 'superuser' group, to increase his timeout-lockup
> in the session manager from 10 to 20 (!) minutes,
> I definitely agree with Brian!

Provided that the software is robust enough that it does not leave sessions open that could be picked up by someone else (yes, I've seen those), then I think closing unused "hidden" sessions does not add a lot to security. It does increase the irritation and eventually makes people feel less responsible for security themselves.

When you push too hard with password rules and change schedules, people end up using the same password everywhere, and even run programs to change it everywhere at the same time.

At one installation where I worked, a short session time-out was in use. It was not uncommon for folks to have the password under a programmable key in their 3270 emulator. Or even program the entire VM logon in the emulator... And obviously it was also popular to run a program in your idle CMS session that would make it not appear idle.

Clearly this does not achieve anything and increases the cost.

Rob
